
Abstract—Certificateless public key cryptography was introduced by Al-Riyami and Paterson to overcome the key escrow problem of ID-PKC. In this paper, we present an efficient certificateless signature scheme using bilinear maps. The scheme can be proved secure in the strongest security model of certificateless signature schemes. In terms of computational cost, only two pairing operations in total are required for signing and verification. It is more efficient than the other existing certificateless signature schemes secure against a super Type I/II adversary.

Index Terms—certificateless cryptography, certificateless signature, computational Diffie-Hellman problem, random oracle model.

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the ICC 2008 proceedings.

I. INTRODUCTION

Identity-based public key cryptography (ID-PKC) was first introduced by Shamir [13] in 1984. In this setting, the public key of a user is simply his identity, such as his telephone number or email address. This simplifies the certificate management procedures of the public key infrastructure (PKI) used in traditional public key cryptography. However, ID-PKC suffers from the key escrow problem: a trusted third party, the Private Key Generator (PKG), is responsible for generating the private keys of all users and therefore knows the private key of every user in the system. To overcome this drawback, Al-Riyami and Paterson [1] invented a new paradigm called certificateless public key cryptography (CL-PKC). CL-PKC also uses a third party, called the Key Generation Center (KGC), to help a user generate his secret key, but the KGC only provides a partial private key for each user. The full private key is generated by the user himself from the partial private key obtained from the KGC and secret information chosen by the user. Hence, CL-PKC removes the key escrow problem. The public key of the user is computed from the KGC's public parameters and the user's secret information, and is published by the user himself.

Related Works: Several certificateless signature (CLS) schemes have been presented since the first attempt in [1]. Huang et al. [8] pointed out a security drawback of the original CLS scheme in [1] and defined the security model of CLS schemes. Later, Zhang et al. [17] improved the security model of CLS schemes and presented a more efficient CLS scheme. In [15], Yum and Lee presented a generic way to construct CLS schemes; however, Hu et al. [7] showed that their construction is insecure and presented a new construction. The security model of CLS schemes was further developed in [7]. Recently, Choi et al. [5] (see footnote 1) and Yap et al. [14] presented some efficient CLS schemes whose security was proved in the first security model of CLS schemes, presented by Huang et al. [8]. Unfortunately, Yap et al.'s scheme [14] is not secure and was broken [11], [16]. The reason is that this model does not capture the most powerful ability of the Type I adversary. Up to now, the security of most existing CLS schemes has been proved in the random oracle model. A concrete CLS scheme secure in the standard model was proposed by Liu et al. [10]. A new kind of Type II attack, the "malicious but passive KGC attack", was introduced in [2]. In this attack, the KGC is assumed to be malicious from the very beginning of the Setup stage of the system. Very recently, Huang et al. [9] revisited the security models of certificateless signature schemes. They further classified the Type I/II adversary into three types, namely the normal, strong and super Type I/II adversary, whose abilities range from weak to strong. A normal adversary can only obtain message-signature pairs from the target signer that are valid under the original public key. A strong adversary can obtain message-signature pairs that are valid under a replaced public key, provided he supplies the secret value corresponding to the replaced public key. A super adversary can obtain message-signature pairs that are valid under a public key chosen by himself without supplying the secret value corresponding to that public key. In [4], [11], [16], examples are given showing that a Type I adversary can break a CLS scheme without knowing the secret value corresponding to the verification public key. So, to capture the most powerful ability of the adversary, we should consider it as a super Type I/II adversary. Two new CLS schemes are also presented in [9]. The first one has a rather short signature length (see footnote 2), with its security proved in a very weak model where the Type I adversary is a normal Type I adversary. The other one is very efficient: it requires only two pairing operations, and its security was proved in the strongest security model, where the Type I/II adversary is a super adversary, but it has a long signature length. So far as we know, there are only a few CLS schemes [9], [17] secure against a super Type I/II adversary.

Footnote 1: They presented two efficient CLS schemes; the first one requires two pairing operations and the second one requires one pairing operation, but the second one has a long signature length.
Footnote 2: In [6], Du and Wen proposed a very efficient short CLS scheme; however, there is a mistake in their proof.

Our Contribution: In this paper, we present a very efficient CLS scheme which requires only two pairing operations. The signature length of our new scheme is 2/3 of that of Huang et al.'s scheme [9]. As to the security aspect, our new CLS scheme is proved secure in the strongest security model of CLS schemes, where the Type I/II adversary is a super Type I/II adversary. We complete our security proof in the random oracle model [3], assuming the hardness of the computational Diffie-Hellman problem over groups with bilinear maps.

II. PRELIMINARIES

A. Bilinear Maps

Let G1 be an additive group of prime order q and G2 be a multiplicative group of the same order. An admissible map e : G1 × G1 → G2 is called a bilinear map if it satisfies the following properties:
1) Bilinear: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G1 and a, b ∈ Z_q^*.
2) Non-degeneracy: There exist P, Q ∈ G1 such that e(P, Q) ≠ 1.
3) Computable: There exists an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.

Discrete Logarithm (DL) Problem: Given a generator g of a cyclic group G of order q and h ∈ G^*, find an integer a ∈ Z_q^* such that h = g^a.

Computational Diffie-Hellman (CDH) Problem: Given a generator g of a cyclic group G of order q and (g^a, g^b) for unknown a, b ∈ Z_q^*, compute g^{ab}.

B. Framework of Certificateless Signature Schemes

A CLS scheme consists of six algorithms [9]. The description of each algorithm is as follows.
• Setup: This algorithm is run by the KGC. It accepts as input a security parameter and generates a master-key and a list of system parameters params.
• Partial-Private-Key-Extract: This algorithm is run by the KGC. It accepts as input a user's identity ID, the parameter list params and the master-key, and produces the user's partial private key D_ID.
• Set-Secret-Value: This algorithm is run by a user. It accepts as input the parameter list params and this user's identity ID, and produces the user's secret value x_ID.
• Set-Public-Key: This algorithm is run by a user. It takes as input the parameter list params, this user's identity ID and secret value x_ID, and produces the public key P_ID for this user.
• Sign: This algorithm is run by a particular user. It accepts the parameter list params, a message M ∈ M (M is the message space), the user's identity ID, public key P_ID, partial private key D_ID and secret value x_ID, and produces a signature σ on message M.
• Verify: This algorithm is run by a verifier. It accepts a message M, a signature σ, the parameter list params, a signer's identity ID and the corresponding public key P_ID, and outputs true if the signature is valid, or ⊥ otherwise.
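As an added illustration (not code from the paper), the two hardness assumptions of Section II-A, the DL and CDH problems, instantiated in a small prime-order subgroup of Z_p^*. The group parameters p = 2879, q = 1439 and generator 4 are constructed toy values chosen so that a baby-step giant-step DL solver finishes instantly; they have no security. The block also carries out the textbook reduction the paper's assumption implicitly relies on: any algorithm that solves DL solves CDH, so CDH can be no harder than DL. Function names are the example's own.

```python
"""Added example (not from the paper): DL and CDH problems in a toy prime-order
group, a baby-step giant-step DL solver, and the reduction "DL solver => CDH solver".
The group is deliberately tiny so that brute force finishes instantly."""
from math import isqrt

# Constructed toy parameters (assumption, not the paper's): p = 2q + 1 with q prime,
# so the quadratic residues of Z_p^* form a cyclic group of prime order q.
Q = 1439
P = 2 * Q + 1          # 2879
G = 4                  # 2^2 is a square, hence generates the order-q subgroup


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Sanity-check the constructed parameters at import time.
assert _is_prime(Q) and _is_prime(P) and G != 1 and pow(G, Q, P) == 1


def dlog(h: int) -> int:
    """DL problem: given h in <G>, return a in Z_q with G^a = h.

    Baby-step giant-step: O(sqrt(q)) time and memory, which is exactly why q must
    be large (160+ bits) for the DL/CDH assumptions to be meaningful."""
    m = isqrt(Q) + 1
    baby = {}
    cur = 1
    for j in range(m):            # baby steps: G^0, G^1, ..., G^(m-1)
        baby.setdefault(cur, j)
        cur = cur * G % P
    giant = pow(G, -m, P)         # G^(-m), the giant-step factor
    gamma = h % P
    for i in range(m):            # giant steps: h * G^(-i*m) for i = 0, 1, ...
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * giant % P
    raise ValueError("h is not in the subgroup generated by G")


def cdh_instance(a: int, b: int):
    """Build a CDH instance (G^a, G^b) together with its answer G^(ab) (constructed test data)."""
    return pow(G, a, P), pow(G, b, P), pow(G, a * b, P)


def solve_cdh_with_dl(ga: int, gb: int) -> int:
    """Reduction: recover a = dlog(G^a), then compute (G^b)^a = G^(ab)."""
    a = dlog(ga)
    return pow(gb, a, P)


if __name__ == "__main__":
    ga, gb, gab = cdh_instance(1234, 777)
    print("dlog(G^1234) =", dlog(ga))
    print("CDH solved via DL:", solve_cdh_with_dl(ga, gb) == gab)
```

The reverse direction (a CDH solver giving a DL solver) is not known in general, which is why the paper assumes the hardness of CDH rather than the weaker-sounding DL; in a bilinear group the pairing additionally makes the decisional variant easy, so CDH is the natural assumption there.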

C. Adversarial Model of Certificateless Signature Schemes

There are two types of adversaries in CL-PKC, namely the Type I adversary and the Type II adversary, with different capabilities. A Type I adversary A_I does not have access to the master-key, but has the ability to replace the public key of any entity with a value of his choice. A Type II adversary A_II has access to the master-key but cannot replace the target user's public key. The security of a CLS scheme is modeled via the following two games between a challenger C and an adversary A_I or A_II.

Game 1 (for Type I Adversary)

Setup: C runs the Setup algorithm, which takes as input a security parameter, to obtain a master-key and the system parameter list params. C then sends params to the adversary A_I while keeping the master-key secret.

Attack: The adversary A_I can perform a polynomially bounded number of the following types of queries in an adaptive manner.
• Partial-Private-Key Queries PPK(ID_i): A_I can request the partial private key of any user with identity ID_i. In response, C outputs the partial private key D_i of the user.
• Public-Key Queries PK(ID_i): A_I can request the public key of a user whose identity is ID_i. In response, C outputs the public key for identity ID_i.
• Secret-Value Queries SV(ID_i): A_I can request the secret value of a user whose identity is ID_i. In response, C outputs the secret value x_i for identity ID_i. (It outputs ⊥ if the user's public key has been replaced.)
• Public-Key-Replacement Queries PKR(ID_i, P_i): For any user whose identity is ID_i, A_I can choose a new public key P_i. A_I then sets P_i as the new public key of this user. C will record this replacement.
• Sign Queries S(M_i, ID_i, P_i): A_I can request the signature of the user whose identity is ID_i on a message M_i. On receiving a query S(M_i, ID_i, P_i), C generates a signature σ_i on message M_i and returns σ_i as the answer. It is required that σ_i is a valid signature on message M_i under identity ID_i and public key P_i (P_i is chosen by A_I, and A_I need not supply the secret value used to generate P_i).

Forgery: Finally, A_I outputs a tuple (M*, σ*, ID*, P_{ID*}). We say that A_I wins Game 1 if
1) σ* is a valid signature under identity ID* and the corresponding public key P_{ID*};
2) A_I has never requested the partial private key of the user whose identity is ID*;
3) S(M*, ID*, P_{ID*}) has never been submitted during the Sign Queries.

Game 2 (for Type II Adversary)

Setup: C runs the Setup algorithm, which takes as input a security parameter, to obtain the system parameter list params and the system's master-key. C then sends params and the master-key to the adversary A_II.


Attack: The adversary A_II can perform a polynomially bounded number of the following types of queries in an adaptive manner.
• Public-Key Queries PK(ID_i): A_II can request the public key of a user of his choice whose identity is ID_i. In response, C outputs the public key P_i for identity ID_i.
• Secret-Value Queries SV(ID_i): A_II can choose a user whose identity is ID_i and request this user's secret value. In response, C outputs the secret value x_i for identity ID_i. (It outputs ⊥ if the user's public key has been replaced.)
• Public-Key-Replacement Queries PKR(ID_i, P_i): For any user whose identity is ID_i, A_II can choose a new public key P_i. A_II then sets P_i as the new public key of this user.
• Sign Queries S(M_i, ID_i, P_i): A_II can request the signature of the user whose identity is ID_i on a message M_i. On receiving a query S(M_i, ID_i, P_i), C replies with a signature σ_i on message M_i for the user whose identity is ID_i and whose public key is P_i. (P_i is chosen by A_II, and A_II need not supply the secret value used to generate P_i.)

Forgery: Finally, A_II outputs a tuple (M*, σ*, ID*, P_{ID*}). We say that A_II wins Game 2 if this tuple satisfies the following requirements:
1) σ* is a valid signature on message M* under identity ID* and the corresponding public key P_{ID*}, i.e. it passes the verification algorithm;
2) A_II has never requested the secret value of the user whose identity is ID*;
3) A_II has not requested a Public-Key-Replacement query on ID*;
4) S(M*, ID*, P_{ID*}) has never been queried during the Sign Queries.

Definition 1: A CLS scheme is existentially unforgeable under adaptively chosen-message attack iff the success probability of any polynomially bounded adversary in the above two games is negligible.

III. OUR CERTIFICATELESS SIGNATURE SCHEME

A. An Efficient Construction

The construction of our efficient CLS scheme is as follows.
• Setup: Given a security parameter, the KGC chooses a cyclic additive group G1 generated by P with prime order q, a cyclic multiplicative group G2 of the same order and a bilinear map e : G1 × G1 → G2. The KGC also chooses a random λ ∈ Z_q^* as the master-key, sets P_T = λP, and chooses cryptographic hash functions H1 : {0, 1}^* → G1, H2 : {0, 1}^* → Z_q^* and H3 : {0, 1}^* → Z_q^*. The system parameter list is params = (G1, G2, e, P, P_T, H1, H2, H3). The message space is M = {0, 1}^*.
• Partial-Private-Key-Extract: This algorithm accepts params, the master-key λ and a user's identity ID_i ∈ {0, 1}^*. It generates the partial private key for the user as follows.

The comparison shows that in the signing phase our CLS scheme requires only two scalar multiplications in G1. It is faster than the schemes in [9], [17]. In the verification phase, our scheme also yields a computational advantage: it requires the least computational effort of the three. In addition, the signature length of our scheme is about 2/3 of that of Huang et al.'s scheme [9], and the public key of our scheme consists of one point in G1, the same as in the other two schemes [9], [17].

Footnote 3: We add the system parameter P to the hash function H1 in order to avoid the malicious KGC attack.
